Simple verification procedures for HSBC e-payment app PayMe allowed hackers to carry out unauthorised transactions after luring victims into disclosing their email passwords using phishing scams, a police source said on Friday.

Cybersecurity experts have called on the bank to introduce two-factor authentication, which requires users to provide an additional piece of information besides a password.

HSBC said on Thursday night that about 20 accounts with the e-wallet system had been accessed without authorisation, and transactions carried out involving HK$100,000 (US$12,770).

The breach had been reported to police and the Hong Kong Monetary Authority, the bank said.

A veteran policeman with knowledge of the incident said hackers posing as an email service provider had sent out phishing emails asking victims to submit their passwords to initiate an update to their accounts.

“That’s how the victims’ email accounts were hacked. But the scammers then looked for PayMe notifications in their emails, and if they saw one, would send a message to the app requesting a password change,” the source said.

“The hackers could then control their victims’ PayMe accounts. PayMe has no security issue as such, but the verification process is way too easy.”

Chester Soong, director of the Internet Society Hong Kong, said two-factor authentication should be adopted, which requires information other than a password, such as a thumbprint, face scan, ID card number or passcode sent to a phone.

“When a user wants to change something as critical as the login information, then stronger authentication should be in place,” he said.

There were a variety of ways email accounts could be compromised and then used to request password changes for affiliated services, Fong said.

A one-time verification code sent to a user’s mobile phone was a crucial way to ensure passwords were not reset without an account holder’s knowledge, he added.

Data security expert Michael Gazeley said customers needed to be vigilant about their personal information and not use the same password across multiple platforms. But ultimately it fell to companies to secure the data, he added, and breaches were becoming commonplace.

“Institutions have to wake up and take responsibility. They can’t keep writing more and more powerful disclaimers,” said Gazeley, the managing director of cybersecurity service provider Network Box Corporation.

HSBC on Friday said PayMe itself was secure and had “not suffered any breaches”.

“We have taken immediate action to block this threat and have contacted the affected customers, who will be compensated for the unauthorised transactions,” the bank said in a statement.

Last month the Monetary Authority said there had been 10 suspected cases of fraud involving a new e-payment system it recently rolled out.

The authority said HK$400,000 had been stolen from customers on the platform, which allows for instant transfer of funds between banks and e-wallet operators.

PayMe, launched in Hong Kong last year, was not affected, as it had yet to join the system.